Phishing is just spam being used to trick people into revealing some information to the phisher, and relies very heavily on social engineering to succeed. By blocking spam effectively, the bait never reaches its target, and the opportunity for deception is crushed.

Phishers are now sending more targeted emails to businesses and these e-mails are designed to appear as though they were sent by another member of staff at the same organization, typically from the IT or HR departments. It seems that people will share their passwords fairly willingly via e-mail if the trust the source. It doesn’t hurt that this new breed of phisher promises treats to those who cooperate or threatens the employment of those who don’t.

In a recent US example, a phisher bluffed his way into the network of a port authority by spoofing an internal email address. Once on the inside, with an apparently genuine email identity, he was able to fool employees into revealing passwords for applications.

This sort of attack has been termed ‘spear’ phishing, designed to bamboozle unsuspecting ‘colleagues’ into revealing information that will give the perpetrator access into secure areas of corporate networks.

By spear phishing one company at a time, a phisher need only send emails to a single domain, spoofing the sender address and requesting usernames and passwords to validate some information, or providing a link to a spoofed version of the company’s website or intranet – or perhaps that of a business partner or supplier.

Many people often use the same username and password for different applications or websites, and the phisher may try and use that to their advantage in their social engineering.

It is surprisingly easy to use existing spam-sending software to dynamically generate the target email addresses, for example by combining databases of first names and last names with letters and numbers. Furthermore, it would only take a few hundred such permutations to provide a valid email address in a large organization.

Additionally, a sustained attack of this nature can quickly become a huge drain on the company’s email server, sapping its resources as it attempts to handle several hundred or thousand connections for emails that can never be delivered to recipients that don’t exist.

Nevertheless, a successful spear phishing expedition can reduce the effort required to break into a company’s network without too much difficulty.

Not only are the individual’s details potentially compromised; it can also lead to theft of intellectual property and other sensitive corporate information. Spear phishing is growing fairly quickly as a threat to corporations.

More